I’m experimenting with stateless NAT using nftables. On the page about statelessly mangling protocol fields, the author says:
Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked
Out of curiosity, what are some of the bad things that can happen if I fail to do this? I can’t seem to find any information on this point.
Connection tracking starts before the mangle table is processed, so the tracked connection would not match the mangled packets, making it useless at best or blocking connectivity at worst.
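As an added example (not part of the question or the answer above), here is a minimal nftables ruleset for stateless 1:1 NAT of one host that does what the wiki warning asks: the `notrack` statement runs at `priority raw` (-300), ahead of the conntrack hook (-200), so no conntrack entry is ever created for the mangled flows. The table name, the addresses 192.0.2.10 / 10.0.0.10 and the interface name wan0 are placeholders chosen for this example.

```nft
# Added example: stateless 1:1 NAT with conntrack bypass (nftables ruleset).
# 192.0.2.10 = public address, 10.0.0.10 = internal host (placeholder values).
table ip stateless_nat {
    # priority raw (-300) is evaluated before the conntrack hook (-200), so
    # 'notrack' here prevents a flow entry from ever being created.
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        # Inbound: mark untracked and rewrite the destination before the
        # routing decision, so the packet is routed towards 10.0.0.10.
        ip daddr 192.0.2.10 notrack ip daddr set 10.0.0.10

        # Replies from the internal host also enter through prerouting;
        # they must be untracked too, otherwise conntrack would see a
        # half-flow that never matches the rewritten packets.
        ip saddr 10.0.0.10 notrack
    }

    chain postrouting {
        type filter hook postrouting priority raw; policy accept;

        # Outbound towards the external interface (assumed name wan0):
        # rewrite the source back to the public address.
        oifname "wan0" ip saddr 10.0.0.10 ip saddr set 192.0.2.10
    }
}
```

Load it with `nft -f <file>` and, as a check that the bypass is effective, `conntrack -L` should show no entries for 10.0.0.10 while traffic is flowing; if entries appear, a rule is mangling after conntrack has already classified the packet, which is exactly the mismatch the answer describes.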
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.